CVE-2022-48755 powerpc64/bpf: Limit 'ldbrx' to processors compliant with ISA v2.06

2024-06-2011:13:35

Linux

www.cve.org

linux kernel

powerpc64

bpf

vulnerability

isa v2.06

crash

test_bpf

ppc64

e5500

processor

illegal instruction

0.0004 Low

EPSS

Percentile

15.7%

JSON

In the Linux kernel, the following vulnerability has been resolved:

powerpc64/bpf: Limit ‘ldbrx’ to processors compliant with ISA v2.06

Johan reported the below crash with test_bpf on ppc64 e5500:

test_bpf: #296 ALU_END_FROM_LE 64: 0x0123456789abcdef -> 0x67452301 jited:1
Oops: Exception in kernel mode, sig: 4 [#1]
BE PAGE_SIZE=4K SMP NR_CPUS=24 QEMU e500
Modules linked in: test_bpf(+)
CPU: 0 PID: 76 Comm: insmod Not tainted 5.14.0-03771-g98c2059e008a-dirty #1
NIP: 8000000000061c3c LR: 80000000006dea64 CTR: 8000000000061c18
REGS: c0000000032d3420 TRAP: 0700 Not tainted (5.14.0-03771-g98c2059e008a-dirty)
MSR: 0000000080089000 <EE,ME> CR: 88002822 XER: 20000000 IRQMASK: 0
<…>
NIP [8000000000061c3c] 0x8000000000061c3c
LR [80000000006dea64] .__run_one+0x104/0x17c [test_bpf]
Call Trace:
.__run_one+0x60/0x17c [test_bpf] (unreliable)
.test_bpf_init+0x6a8/0xdc8 [test_bpf]
.do_one_initcall+0x6c/0x28c
.do_init_module+0x68/0x28c
.load_module+0x2460/0x2abc
.__do_sys_init_module+0x120/0x18c
.system_call_exception+0x110/0x1b8
system_call_common+0xf0/0x210
— interrupt: c00 at 0x101d0acc
<…>
—[ end trace 47b2bf19090bb3d0 ]—

Illegal instruction

The illegal instruction turned out to be ‘ldbrx’ emitted for
BPF_FROM_[L|B]E, which was only introduced in ISA v2.06. Guard use of
the same and implement an alternative approach for older processors.

CNA Affected

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "arch/powerpc/include/asm/ppc-opcode.h",
      "arch/powerpc/net/bpf_jit_comp64.c"
    ],
    "versions": [
      {
        "version": "156d0e290e96",
        "lessThan": "129c71829d7f",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "156d0e290e96",
        "lessThan": "3bfbc00587dc",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "156d0e290e96",
        "lessThan": "aaccfeeee163",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "156d0e290e96",
        "lessThan": "3f5f766d5f7f",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "affected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "arch/powerpc/include/asm/ppc-opcode.h",
      "arch/powerpc/net/bpf_jit_comp64.c"
    ],
    "versions": [
      {
        "version": "4.8",
        "status": "affected"
      },
      {
        "version": "0",
        "lessThan": "4.8",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.10.96",
        "lessThanOrEqual": "5.10.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.15.19",
        "lessThanOrEqual": "5.15.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.16.5",
        "lessThanOrEqual": "5.16.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.17",
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "versionType": "original_commit_for_fix"
      }
    ]
  }
]